A systematic literature review on threat modeling in agile projects
DOI: https://doi.org/10.51359/2317-0115.2025.265731

Keywords: security, agile methods, threats

Abstract

Context: Threat modeling is an important security activity, but applying it in agile development is difficult. Problem: For threat modeling to be applied in agile development, its challenges and good practices need to be understood. Method: To understand the current state of threat modeling in agile methodologies, a systematic literature review (SLR) was carried out, using digital libraries and snowballing to obtain articles that could answer the research questions. Results: The study identified the challenges, practices and tools used. Contributions: The study surfaced the main trends in the area studied.
Copyright (c) 2025 Rafael Souza, Carla Silva, Jéssyka Vilela, Mariana Peixoto

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Submitted works are the sole responsibility of their authors, who retain their copyright.
Published works may be cited without prior authorization, provided that the RMP is explicitly mentioned as the source.